Technical Alerts

After applying Microsoft KB980436, Internet Explorer fails to connect to some sites if intercepting SSL on the ProxySG

Technical Alerts ID:    TFA40
Version:    6.0
Status:    Published
Published date:    08/20/2010
Updated:    07/05/2011
 

Affected products and versions

ProxySG 4.2, 4.3, all 5.x versions 

Problem description

This assumes the following is true:

  • Client machine is XP SP3 (other service packs and Windows versions may be affected)
  • ProxySG is configured to intercept SSL using the "SSL Proxy" function
  • Client machine has downloaded and installed Microsoft KB980436

Once the security update is applied, IE receives only a partial page, or the standard "Page Cannot Be Displayed" connection error, depending on the client configuration. This affects any website that negotiates TLS 1.0 in the SSL handshake. KB980436 (Microsoft bulletin MS10-049) is Microsoft's fix for the TLSv1/SSLv3 renegotiation vulnerability (CVE-2009-3555): it adds RFC 5746 secure-renegotiation signalling to the Windows SChannel client, and the affected SGOS releases do not support that signalling on intercepted connections.

 

Status

This issue has been identified and resolved in some SGOS release lines; fixes for the remaining lines are in progress. See Resolution below for the fixed releases.

Workaround

There are four workarounds available for this issue. They are listed by impact to the deployment, least impact first, without regard to how difficult each is to apply.

  • Enable TLS 1.0 in Internet Explorer. Go to Tools > Internet Options > Advanced tab, scroll to the "Security" section at the bottom, and check "Use TLS 1.0". The setting is the SecureProtocols DWORD under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (bit 0x80 is TLS 1.0, 0x20 is SSL 3.0), so it can be set globally through Group Policy in Active Directory.
  • Uninstall KB980436. Open Control Panel > Add or Remove Programs, check the "Show updates" box at the top, find "Security Update for Windows XP (KB980436)", and click Remove. A reboot may be required. Note: this removes a security update and leaves the client exposed to the renegotiation issue it fixes, so treat it as a temporary measure and reinstall the update once the ProxySG has been upgraded.
  • Disable protocol detection on the HTTP service (Explicit Mode). In the ProxySG Management Console navigate to Configuration > Services > Proxy Services (the path varies by version), select the "HTTP..." service(s), click Edit, clear the "Detect Protocol" check box, click OK, and click Apply. Note: this bypasses SSL interception for all HTTPS requests tunnelled through the explicit proxy. If preferred, policy can instead disable protocol detection for specific sites only.
  • Set service port 443 to "Bypass" on the ProxySG (Transparent Mode). In the ProxySG Management Console navigate to Configuration > Services > Proxy Services (the path varies by version), find "HTTPS", change the action from "Intercept" to "Bypass", and click Apply. Note: this bypasses the proxy for all SSL traffic, so no policy (access restrictions, content-filter categorization, bandwidth management, etc.) is applied to it, and port 443 traffic may then be blocked by a firewall that only allows the proxy's IP address outbound. It is therefore recommended only if the first two options cannot be used.

 

Resolution

Secure renegotiation (RFC 5746) support is provided in the following releases. A CLI option to require secure renegotiation is available and is disabled by default, so clients that do not signal RFC 5746 support are still accepted unless you enable it. To require it, set the ssl command option force-secure-renegotiation to enable.
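The problem description and the resolution above both turn on one handshake detail: a KB980436 client signals RFC 5746 support in its initial ClientHello (the TLS_EMPTY_RENEGOTIATION_INFO_SCSV pseudo cipher suite, or an empty renegotiation_info extension), and a secure-renegotiation-aware server answers with a renegotiation_info extension in its ServerHello. The following Python is an added example, not Blue Coat code and not part of this alert: it builds and parses both hellos, models the accept/refuse decision that force-secure-renegotiation turns on, and includes a probe that sends a single ClientHello to a host so you can see whether an origin server (or a site reached through a transparent ProxySG) answers with renegotiation_info. The cipher-suite list, the function names and the constructed hellos are this example's own choices; the page does not describe how SGOS itself implements the check.

```python
import os
import socket
import struct

# TLS record/handshake constants (RFC 5246) and the RFC 5746 signalling values
HANDSHAKE, ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF   # pseudo cipher suite, RFC 5746 section 3.3
EXT_RENEGOTIATION_INFO = 0xFF01              # renegotiation_info extension type
EXT_SERVER_NAME = 0x0000
SUITES = [0x002F, 0x0035, 0x000A]            # AES128-SHA, AES256-SHA, 3DES-EDE-CBC-SHA (example choice)

def _wrap(hs_type, body, version):
    """Frame one handshake message as a TLS record."""
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + bytes(version) + struct.pack("!H", len(hs)) + hs

def build_client_hello(version=(3, 1), signal_rfc5746="scsv", sni=None):
    """Initial ClientHello. signal_rfc5746 is "scsv" (what a patched client puts in its suite
    list), "ext" (an empty renegotiation_info extension) or None (a legacy, pre-patch client).
    version (3, 1) is TLS 1.0, the protocol the alert is about."""
    suites = list(SUITES)
    exts = b""
    if signal_rfc5746 == "scsv":
        suites.append(TLS_EMPTY_RENEGOTIATION_INFO_SCSV)
    elif signal_rfc5746 == "ext":
        exts += struct.pack("!HH", EXT_RENEGOTIATION_INFO, 1) + b"\x00"  # renegotiated_connection empty
    if sni:                                                             # server_name, needed by most hosts today
        name = sni.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name           # host_name entry
        exts += struct.pack("!HHH", EXT_SERVER_NAME, len(entry) + 2, len(entry)) + entry
    body = bytes(version) + os.urandom(32) + b"\x00"                    # random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                                 # compression methods: null only
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    return _wrap(CLIENT_HELLO, body, version)

def build_server_hello(version=(3, 1), suite=0x002F, reneg=b""):
    """ServerHello as a secure-renegotiation-aware server answers an initial hello (constructed
    test input). reneg=b"" adds an empty renegotiation_info extension; reneg=None omits it."""
    body = bytes(version) + os.urandom(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    if reneg is not None:
        ext = struct.pack("!HH", EXT_RENEGOTIATION_INFO, len(reneg) + 1) + bytes([len(reneg)]) + reneg
        body += struct.pack("!H", len(ext)) + ext
    return _wrap(SERVER_HELLO, body, version)

def parse_hello(record):
    """Parse the first handshake message in a record (ClientHello or ServerHello) and report
    whether RFC 5746 is signalled: the SCSV in the suite list and/or renegotiation_info."""
    if record[0] != HANDSHAKE:
        raise ValueError("not a handshake record: content type 0x%02x" % record[0])
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    hs_type, hs_len = hs[0], int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")
    info = {"type": hs_type, "version": (body[0], body[1]), "scsv": False, "reneg_ext": None}
    pos = 34                                    # version + 32-byte random
    pos += 1 + body[pos]                        # session id
    if hs_type == CLIENT_HELLO:
        n = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        info["suites"] = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, n, 2)]
        pos += n
        info["scsv"] = TLS_EMPTY_RENEGOTIATION_INFO_SCSV in info["suites"]
        pos += 1 + body[pos]                    # compression methods
    elif hs_type == SERVER_HELLO:
        info["suite"] = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 3                                # chosen suite + compression method
    else:
        raise ValueError("unexpected handshake type %d" % hs_type)
    if pos < len(body):                         # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == EXT_RENEGOTIATION_INFO:
                info["reneg_ext"] = body[pos + 1:pos + 1 + body[pos]]   # renegotiated_connection
            pos += elen
    info["rfc5746"] = info["scsv"] or info["reneg_ext"] is not None
    return info

def accept_client(client_hello, force_secure_renegotiation=False):
    """The policy the resolution describes: with the option off (the default) a legacy hello is
    still accepted; with it on, a client that does not signal RFC 5746 is refused."""
    return parse_hello(client_hello)["rfc5746"] or not force_secure_renegotiation

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf

def probe(host, port=443, version=(3, 1), signal_rfc5746="scsv", sni=None, timeout=5):
    """Send one ClientHello and return the parsed ServerHello, or the alert the peer sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(version, signal_rfc5746, sni or host))
        hdr = _recv_exact(s, 5)
        payload = _recv_exact(s, struct.unpack("!H", hdr[3:5])[0])
    if hdr[0] == ALERT:
        return {"alert": {"level": payload[0], "description": payload[1]}}
    return parse_hello(hdr + payload)
```

probe("www.example.com") returns the parsed ServerHello, with "rfc5746" True when the peer (origin server, or the ProxySG's emulated handshake in transparent mode) carries renegotiation_info; a modern server will often answer a TLS 1.0 ClientHello with a protocol_version alert instead, in which case pass version=(3, 3). Through an explicit proxy the client would first have to send an HTTP CONNECT, which this example does not do.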

ProxySG 6.1 - a fix is available in SGOS 6.1.1.1 or later.  The fix is available to customers with a valid BlueTouch Online login from bto.bluecoat.com/download/product/5351.

ProxySG 5.5 - a fix is available in SGOS 5.5.4.1.  The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/41.

ProxySG 5.4 - a fix is available in SGOS 5.4.5.1 or later.  If you are intercepting SSL, Blue Coat recommends that you upgrade to SGOS 5.4.6.1.  The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/17.

ProxySG 5.3 - please upgrade to a later version.

ProxySG 4.3 - a fix is available in SGOS 4.3.4.1.  The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/13.

ProxySG 3.x - No fix is planned for this version.  Please upgrade to a later version.

 

